1. (Currently Amended) A method for identifying presence of malicious code in program
code within a computer system, the method comprising: 

initializing a virtual machine within the computer system, the virtual machine comprising 
a virtual personal computer (PC) implemented by software simulating functionality of a central 
processing unit and memory and a virtual operating system simulating functionality of a
multi-threaded operating system of the computer system;

virtually executing a target program within the virtual PC so that the target program 
interacts only with an instance of the virtual operating system; 

analyzing behavior of the target program upon completion of virtual execution to identify
an occurrence of malicious code behavior based upon an evaluation by the virtual machine of a
behavior pattern representing information about all functions simulated by the target program
during virtual execution;

generating the behavior pattern for the target program by tracking functions performed
and not performed by the target program with flags in a behavior pattern field and by tracking a
sequence in which the functions are called by the target program with the behavior pattern field;
and

terminating the virtual PC after the analyzing process, thereby removing from the 
computer system a copy of the target program that was contained within the virtual PC. 

2. (Previously Presented) The method of claim 1, wherein the virtual PC of the virtual 
machine simulates functionality of input/output ports, and the virtual operating system simulates
functionality of operating system data areas and an operating system application program 
interface. 

3. (Previously Presented) The method of claim 1, wherein the virtual operating system is 
operative to simulate an application program interface call of the operating system by returning a 
correct value to the call without completing actual performance of the call. 

4. (Original) The method of claim 2, wherein virtual execution of the target program 
causes the target program to interact with the simulated operating system application program 
interface.

5. (Previously Presented) The method of claim 1, wherein the target program is newly
introduced to the computer system and initially executed by virtually executing the target
program on the virtual PC.

6. (Previously Presented) The method of claim 1, wherein after a first instance of the 
target program is analyzed by the virtual machine and a first behavior pattern is generated and 
stored in a database coupled to the computer system, the method further comprising:

determining that the target program is modified;

analyzing the modified target program by executing the modified target program in the
virtual machine to provide a second behavior pattern; and

comparing within the virtual machine the first behavior pattern to the second behavior
pattern to determine whether the second behavior pattern is altered from the first behavior pattern
in a manner indicative of presence of the malicious code in the modified target program. 

7. (Previously Presented) The method of claim 6, wherein a new behavior pattern is
generated each time the target program is modified. 

8. (Previously Presented) The method of claim 6, wherein introduction of the malicious
code during modification of the target program is detected by comparing the first behavior
pattern to the second behavior pattern and identifying altered bits indicating an addition of an
infection procedure to the modified target program. 

9. (Previously Presented) The method of claim 6, wherein the first behavior pattern is
identified as a match to the second behavior pattern when the modified target program is a new
version of the first program.

10. (Previously Presented) The method of claim 1, wherein the behavior pattern
identifies functions executed in the virtual execution of the target program, the method further
comprising tracking an order in which the functions are virtually executed by the target program
within the virtual PC to provide a complete record of all functions simulated by the target
program, as if the target program were executed on the computer system.



11. (Currently Amended) A method for identifying presence of malicious code in
program code within a computer system, the method comprising: 

initializing a virtual machine within the computer system, the virtual machine comprising 
software simulating functionality of a central processing unit and memory and a virtual operating
system simulating functionality of a multi-threaded operating system of the computer system; 

virtually executing a target program with the virtual machine so that the target program 
interacts with an instance of the virtual operating system rather than with the operating system of 
the computer system, whereby the malicious code is fully executed during virtual execution of 
the target program if the target program comprises the malicious code;

generating a behavior pattern for the target program by tracking functions performed and
not performed by the target program with flags in a behavior pattern field and by tracking a
sequence in which the functions are called by the target program with the behavior pattern field
in order to collect information about all functions simulated by the target program during virtual
execution; and

terminating the virtual machine upon completion of the virtual execution of the target
program, leaving behind a record of the behavior pattern that is representative of operations of
the target program with the computer system, including operations of the malicious code if the
target program comprises the malicious code.

12. (Original) The method of claim 11, wherein the record is in a behavior register in the
computer system.

13. (Previously Presented) The method of claim 11, wherein after a first instance of the
target program is analyzed by the virtual machine and a first behavior pattern is generated and
stored in a database coupled to the computer system, the method further comprising:

determining that the target program is modified; 

analyzing the modified target program by executing the modified target program with the 
virtual machine to provide a second behavior pattern; and 

comparing the first behavior pattern to the second behavior pattern to determine whether
the second behavior pattern is altered from the first behavior pattern in a manner indicative of
presence of the malicious code in the modified target program. 

14. (Previously Presented) The method of claim 13, wherein a new behavior pattern is 
generated each time the target program is modified. 

15. (Previously Presented) The method of claim 13, wherein introduction of the 
malicious code during modification of the target program is detected by comparing the first 
behavior pattern to the second behavior pattern and identifying altered bits indicating an addition 
of an infection procedure to the modified target program. 

16. (Previously Presented) The method of claim 13, wherein the first behavior pattern is 
identified as a match to the second behavior pattern when the modified target program is a new 
version of the first program. 

17. (Previously Presented) The method of claim 11, wherein the behavior pattern 
identifies all functions executed during the virtual execution of the target program and records an 
order of simulation of the functions.

18. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system, 
comprising: 

initializing a virtual machine for the computer system, the virtual machine comprising a 
virtual personal computer (PC) implemented by software simulating functionality of a central 
processing unit memory a virtual operating system simulating functionality of a multi-threaded 
operating system of the computer system;

executing a target program within the virtual PC so that the target program completes a 
virtual execution by interacting only with an instance of the virtual operating system; 

generating a behavior pattern by completing virtual execution of the target program 
within the virtual PC and by tracking functions performed and not performed by the target
program with flags in a behavior pattern field and by tracking a sequence in which the functions
are called by the target program, the behavior pattern representative of operational functions
completed by the target program during virtual execution, including at least one of virtual
operating system calls, Input/Output functions and program functions supported by the target
program;

upon completion of virtual execution, operating the virtual machine to compare the
behavior pattern generated by virtual execution of the target program to a behavior pattern
representative of operations by the malicious code to identify an occurrence of malicious code
behavior; and

in the event that the comparison process results in a match representing an identification 
of malicious code behavior by the target program, then identifying the target program as 
comprising the malicious code. 

19. (Currently Amended) The memory storage device of Claim 18 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification of the target program comprising malicious code so that the target
program cannot affect the performance of subsequent programs executed by the computer
system.

20. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system, 
comprising: 

executing a target program within a virtual personal computer (PC) so that the target 
program completes a virtual execution by interacting only with an instance of a virtual operating 
system, the virtual PC comprising software operative to simulate functionality of a processor and 
memory, the virtual operating system operative to simulate functionality of a multi-threaded
operating system for the computer system, the virtual PC and the virtual operating system 
operating in combination to form a virtual machine; 

collecting information about the behavior of the target program during virtual execution 
of the target program by the virtual machine by tracking functions performed and not performed
by the target program with flags in a behavior pattern field and by tracking a sequence in which
the functions are called by the target program in order to create a record of virtual operations of
the target program, whereby the record reflects a plurality of operations of the malicious code if
the target program comprises the malicious code;

upon completion of virtual execution of the target program, analyzing the record with the
virtual machine to identify an occurrence of malicious code behavior by comparing the record to
a behavior pattern representative of the operations performed by the malicious code; and 

in the event that the record matches the malicious code behavior, then identifying the 
target program as comprising the malicious code. 

21. (Currently Amended) The memory storage device of Claim 20 further comprising 
the computer-executable step of removing the target program from the computer system in 
response to an identification of the target program comprising malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.

22. (Currently Amended) A computer-implemented method for identifying a
presence of malicious code in program code for a computer system, comprising the steps: 

virtually executing a target program within a virtual machine comprising a virtual
personal computer (PC) implemented by software operative to simulate functionality of a
processor, and memory and a virtual operating system having software simulating functionality
of a multi-threaded operating system for the computer system wherein virtual execution of the
target program comprises interactions with an instance of the virtual operating system; [[and]]

creating a record of all functions simulated by the target program during virtual execution 
of the target program by the virtual machine, the record comprising a behavior pattern 
representative of the behavior of the target program as if it were executed on the computer 
system, the behavior pattern comprising characteristics of malicious code behavior in the event 
that the target program comprises the malicious code; and

creating the behavior pattern by tracking functions performed and not performed by the
target program with flags in a behavior pattern field and by tracking a sequence in which the
functions are called by the target program with the behavior pattern field.

23. (Previously Presented) The computer-implemented method of Claim 22 further 
comprising the step of operating the virtual machine to analyze the record after completion of the 
virtual execution by the target program to identify an occurrence of a type of the behavior pattern 
representative of operations by the malicious code. 

24. (Previously Presented) The computer-implemented method of Claim 23 wherein, 
in the event of an identification of an occurrence of malicious code behavior by the target 
program, the method further comprises the step of identifying the target program as comprising 
the malicious code. 

25. (Currently Amended) The computer-implemented method of Claim 24 further
comprising the step of removing the target program from the computer system in response to an
identification that the target program comprises the malicious code so that the target program
cannot affect performance of subsequent programs executed by the computer system.

26. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system, 
comprising: 

executing a target program within a virtual personal computer (PC) so that the target
program completes a virtual execution by interacting only with an instance of a virtual operating
system, the virtual PC comprising software operative to simulate functionality of a processor and
memory, the virtual operating system operative to simulate functionality of a multi-threaded
operating system for the computer system, the virtual PC and the virtual operating system
operating in combination to form a virtual machine;

collecting information about the behavior of the target program in response to virtual
execution of the target program by the virtual machine;

in response to completing virtual execution of the target program, collecting information
about interrupt call operations that call any interrupt service routine modified by the virtual
execution of the target program;

creating a record by tracking functions performed and not performed by the target
program with flags in a behavior pattern field and by tracking a sequence in which the functions
are called by the target with the behavior pattern field, the functions comprising the
interrupt call operations, the record comprising the information collected about the virtual
execution of the target program and the interrupt call operations that call any interrupt service
routine modified by the virtual execution of the target program;

analyzing the record to identify an occurrence of malicious code behavior by comparing
the record to a behavior pattern representative of the operations performed by the malicious
code; and

in the event that the record matches the malicious code behavior, then identifying the
target program as comprising the malicious code.

27. (Currently Amended) The memory storage device of Claim 26 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification that the target program comprises malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.

28. (Currently Amended) The memory storage device of Claim 26, wherein the step
of collecting information about the behavior of the target program in response to virtual
execution of the target program comprises storing bits that correspond to the flags in a behavior
pattern [illegible] providing memory for the behavior pattern field, the
storing of the bits being completed in response to monitoring operating system calls, interrupts
and I/O port read/write operations completed by the virtual machine.

29. (Currently Amended) A memory storage device comprising computer-executable
steps for identifying the presence of malicious code in program code in a computer system, 
comprising: 

initializing a virtual machine for the computer system, the virtual machine comprising a
virtual personal computer (PC) implemented by software simulating functionality of a central
processing unit and memory and a virtual operating system simulating functionality of a
multi-threaded operating system of the computer system,

the initializing step comprising the steps of extracting the file structure of a target
program and loading the target program into the software-simulated memory of the virtual PC; 

executing a target program within the virtual PC so that the target program completes a 
virtual execution by interacting only with an instance of the virtual operating system; 

generating a behavior pattern by completing virtual execution of the entire code of the 
target program within the virtual PC and by tracking functions performed and not performed by
the target program with flags in a behavior pattern field and by tracking a sequence in which the
functions are called by the target program, the behavior pattern representative of a sequence of
operational functions completed by the target program during virtual execution, including at least 
one of virtual operating system calls, Input/Output functions and program functions supported by 
the target program; 

upon completion of virtual execution, operating the virtual machine to compare the
behavior pattern generated by virtual execution of the target program to a behavior pattern 
representative of operations by the malicious code to identify an occurrence of malicious code 
behavior; and 

in the event that the comparison process results in a match representing an identification 
of malicious code behavior by the target program, then identifying the target program as
comprising the malicious code. 

30. (Currently Amended) The memory storage device of Claim 29 further comprising
the computer-executable step of removing the target program from the computer system in
response to an identification that the target program comprises malicious code so that the target
program cannot affect performance of subsequent programs executed by the computer system.

31. (Previously Presented) The memory storage device of claim 29, further comprising
the computer-executable steps of:

identifying a new instance of the target program; 

determining that the new instance of the target program represents a modified version of
the target program;

analyzing the modified target program by executing the modified version of the target 
program in the virtual machine to provide a supplemental behavior pattern; and

comparing within the virtual machine the behavior pattern to the supplemental behavior
pattern to determine whether the supplemental behavior pattern is altered from the behavior
pattern in a manner indicative of presence of the malicious code in the modified version of the
target program. 

32. (Previously Presented) The memory storage device of claim 29, wherein another 
supplemental behavior pattern is generated each time the target program is modified.

33. (Previously Presented) The memory storage device of claim 29, wherein the
malicious code is detected by comparing the behavior pattern to the supplemental behavior
pattern and identifying altered bits indicating an addition of an infection procedure to the
modified version of the target program. 

34. (Previously Presented) The memory storage device of claim 29, wherein the
behavior pattern is identified as a match to the supplemental behavior pattern when the modified
version of the target program is a new version of the first program.
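
The behavior pattern field recited in claims 1 and 6 to 9 (and their counterparts in claims 13 to 16 and 31 to 34), as an added Python example that is not part of the claim listing or of the applicant's implementation: one flag bit per function (set if performed, clear if not performed), the call sequence kept alongside, and a comparison of a stored first pattern against a second one that reports the altered bits. The flag names, bit positions, the `INFECTION_MASK` policy and the traces are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical bit positions; the claims do not enumerate the flags.
FLAG_BITS = {
    "file_open": 0,
    "file_write": 1,
    "search_executables": 2,
    "modify_executable": 3,
    "hook_interrupt": 4,
    "port_io": 5,
}
# Assumed policy: these bits, newly set together, suggest an added infection procedure.
INFECTION_MASK = (1 << FLAG_BITS["search_executables"]) | (1 << FLAG_BITS["modify_executable"])


@dataclass
class BehaviorPattern:
    bits: int = 0                                 # per function: 1 = performed, 0 = not performed
    sequence: list = field(default_factory=list)  # order in which the functions were called

    def record(self, function_name):
        self.bits |= 1 << FLAG_BITS[function_name]
        self.sequence.append(function_name)


def pattern_from_trace(trace):
    """Build a pattern from a list of simulated calls (stand-in for virtual execution)."""
    pattern = BehaviorPattern()
    for function_name in trace:
        pattern.record(function_name)
    return pattern


def altered_bits(first, second):
    """Names of the flags whose value differs between the two patterns, in bit order."""
    diff = first.bits ^ second.bits
    ordered = sorted(FLAG_BITS.items(), key=lambda item: item[1])
    return [name for name, bit in ordered if (diff >> bit) & 1]


def compare(first, second):
    """Classify the second pattern relative to the stored first pattern."""
    if first.bits == second.bits:
        return "match"            # e.g. a new version with unchanged behavior
    newly_set = second.bits & ~first.bits
    if (newly_set & INFECTION_MASK) == INFECTION_MASK:
        return "infection-like"
    return "changed"


# Constructed traces, not taken from any real sample.
BASELINE = pattern_from_trace(["file_open", "file_write"])
NEW_VERSION = pattern_from_trace(["file_open", "file_write", "file_write"])
MODIFIED = pattern_from_trace(
    ["file_open", "search_executables", "modify_executable", "file_write"])

if __name__ == "__main__":
    for label, candidate in (("new version", NEW_VERSION), ("modified", MODIFIED)):
        print(label, compare(BASELINE, candidate),
              altered_bits(BASELINE, candidate), candidate.sequence)
```
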